That earth-shattering NSA crypto-cracking: Have spooks smashed RC4?

Fresh revelations from whistleblower Edward Snowden suggest that the NSA can crack TLS/SSL connections, the widespread technology securing HTTPS websites and virtual private networks (VPNs). Although reports from the New York Times and its allied publications held off on the specifics, it may all mean that US spooks can …

COMMENTS

  1. Maharg

    Well, I guess it would happen sometime, but I assumed we would have known about it!

    1. Steve the Cynic

      "I assumed we would have known about it!"

      Why would we have known about it?

      The alphabet soup agency that achieved this sort of thing isn't likely to crow about it. The whole point of cracking someone's cypher is that you work hard to prevent people from discovering that you've done it, otherwise they change the keys or the cypher, or they do something else entirely.

      Look at the efforts expended in WWII to conceal the British Ultra decrypts - planes were routinely sent up to be seen "spotting" ships that the British knew would be there, so the Axis powers didn't realise it was because of decrypted Enigma that their plans were well-known.

      1. Yet Another Anonymous coward Silver badge

        re: Why would we have known about it?

        Because somebody in the US would have been bribed/blackmailed into handing it over to criminal gangs - and so billions would be being stolen from online bank accounts.

        Or the Russians/Chinese would also have cracked it and everyone in the world would have boxes that decrypted American military communications leading to defeat at the hands of apparently insignificant 3rd world forces.

        The army would then have turned up at NSA headquarters with a bunch of tanks asking why the NSA had let their soldiers die by not telling the army that their codes were crap.

        1. Anonymous Coward

          Re: re: Why would we have known about it?

          "The army would then have turned up at NSA headquarters with a bunch of tanks..."

          I'd pay to see that.

          1. h3

            Re: re: Why would we have known about it?

            The British Army almost took over the UK in the late 70's in a similar manner to the Egyptian situation.

            (Well they were planning to and they never did).

            1. Ted Treen

              Re: re: Why would we have known about it?

              As a 63-yr old, I lived through the Wilson & Callaghan governments, when Dennis Healey was our very experienced Chancellor - experienced 'cos an emergency budget was an almost fortnightly event, and said 'governments' were little more than a proxy for dictation by the TUC - many of whose dinosaurs have subsequently been shown to have received 'funding' from Moscow, and the end result was the decimation of much of British industry as a result of extreme left union activity with Britain's economic policies dictated by the IMF, to whom Healey had put Britain deeply in hock.

              I know management weren't entirely faultless either, but I anticipate a plethora of downvotes from kiddies too young to have been there, and who have swallowed the liberal-left establishment's distortion of history, hook, line & sinker.

              I can reliably say that had the army taken over, it would not have been an unpopular move.

              1. Allan George Dyer

                Re: re: Why would we have known about it?

                @Ted Treen Just to be clear, I downvoted you and I am younger, but, being 50 I DO remember the Heath, Wilson and Callaghan governments. Rule by the thugs that were torturing suspects in Northern Ireland would not have been welcome, neither is the fascist-right's historical distortions.

                1. Anonymous Coward

                  Re: re: Why would we have known about it?

                  "Rule by the thugs that were torturing suspects in Northern Ireland would not have been welcome"

                  These "suspects" being the sort of scum that would happily blow up a bus of kids, I don't think anyone other than bleeding heart liberal idiots like you gives a flying fuck if the IRA scum got their fingernails ripped out.

                  1. Anonymous Coward

                    Re: re: Why would we have known about it?

                    The IRA were indeed a bunch of turds. But the problem with the 1970s was that our own security forces had a nasty little habit of beating the crap out of the wrong people. Or imprisoning people for the unspeakable crime of being Irish on a train the day after a bombing (the Guildford Four spring to mind).

                    The day we can know, with 100% certainty, whodunnit, you can get the pliers out. But until then, I prefer the rule of law. History has a habit of proving that 100% one day looks like 95% the next and before you know it is down at rather-dubious.

                2. Ted Treen

                  Dear, Dear, Mr Dyer

                  By 'suspects' one assumes you are talking about the misty-eyed Sons of Erin - the noble freedom fighters struggling valiantly against the evil forces of foreign imperialist occupation...

                  Certainly you can't mean the murdering bastards who bravely kidnapped and murdered young mothers, and despatched many an innocent child through the unannounced bomb and so on...

                  Fascist right? - by your age now, you would have been around 10 at the time of Heath's government - it appears your political maturity ceased developing at around that time.

                  1. Daniel B.

                    @Ted Treen

                    By 'suspects' one assumes you are talking about the misty-eyed Sons of Erin - the noble freedom fighters struggling valiantly against the evil forces of foreign imperialist occupation...

                    I'm guessing he was talking about the Guildford Four. Of course, the kind of conservatives who are blindly thinking everything is a liberal conspiracy are the same kind of people that will have both confirmation bias and selective memory on what really happened back then.

                    It is noticeable that people that are around your same age are basically saying you're full of shit, which speaks loads of how off the mark you are...

                    1. Allan George Dyer

                      Re: @Ted Treen

                      @Daniel B., actually I was avoiding mentioning the Guildford Four, because they were stitched up by the Police, not the army. There were other incidents of torture, as Ted admits, committed by the army in Northern Ireland.

                      I'm sad to say that too many people on every side of every conflict mistake revenge for justice.

                  2. Allan George Dyer

                    Re: Dear, Dear, Mr Dyer

                    No, Mr Treen, I'm talking about suspects, who are innocent until proven guilty, not guilty, and we're going to get them to admit it. There was violence and injustice on both sides, the torture was more fuel on the fire, not a solution.

              2. Anonymous Blowhard

                Re: re: Why would we have known about it?

                @Ted Green

                Another downvote from a middle aged geezer! I grew up in the 60's, 70's and 80's (took a lot of growing up, still working on it); it's hard to argue that the unions were in charge when you see what they're like now, whereas we are still ruled by a privileged few from a small number of public schools.

                The unions weren't faultless, but the way that British industry was managed and led was just atrocious, just look at the motor industry; a classic case of clueless management who thought that being British meant the world owed them a living, they thought that winning WW2 meant they didn't have to listen to upstart management ideas from Americans about quality or German ideas about managing in partnership with unions. Today the UK makes great cars, and in large numbers too, but the companies are all foreign owned (American, German and Japanese).

                1. Ted Treen

                  @Anonymous Blowhard

                  Ted Green - who he?

                  Ted Treen

                2. Destroy All Monsters Silver badge

                  Re: re: Why would we have known about it?

                  @Anonymous Blowhard

                  I don't know about any of this but the idea that managing "in partnership with unions" is a good idea is readily disproven, at least for some kinds of "partnership". One just has to check what happened to the north american auto industry where the UAW reigns supreme. It's dead. It only exists because the Obama government pumps tax money into it (and then you have the "cash for clunkers" hidden subsidy, which is another effort at splaying Attila of economics). Southern automotive factories are doing well though. Well, at least they did until "Government Motors" came unto the scene. It's hard to fight your own government.

                  The moment a violent strike occurs, in which "scabs" are being turned away, the hiring of replacement workers is being "discouraged", and the company's capital is held hostage if not degraded, you are in mobster territory.

                  "Today the UK makes great cars, and in large numbers too, but the companies are all foreign owned"

                  That is NOT a problem. Ultimately, the ownership must be measured at shareholder level. I guess quite a few investment pools from the UK are holding shares.

                  Sherlock icon in replacement of a nonagressive shrug.

                  1. Sirius Lee

                    Re: re: Why would we have known about it?

                    @destroy Absolutely. Blowhard is not entirely wrong (who is) but there are many examples of UK businesses killed by union intransigence. The Leyland business was poorly managed but what a dreadful place to have been a manager. It died because union leaders progressed by bashing managers and what managers want to work in that environment? Only those which cannot be gainfully employed elsewhere.

                    Think of the Sunderland dock yards, once a leading builder of ocean going iron ships and now gone. Why? Because unions would not adapt their practices and accept welding as an alternative to riveting after WWII. The liberty ships had shown the viability and economy of welding but it would likely have meant job losses on Wearside so were resisted vigorously. A classic case of winning the battle but losing the war.

              3. PJI

                @Ted Treen

                I'm 63 too. I was a student in London then, having been a policeman and a bank clerk. So I had a wide view, despite our relative youth. I can say quite definitely that you are spouting rubbish. You exaggerate the frequency and, that being a much more liberal time than today and rather close to the Prague Spring and its aftermath and other events in people's memories at the time, a military coup, apart from being unprecedented in GB (and do not forget the Irish troubles were getting into their stride) would not have been welcomed. Far from it; pacifism was growing.

                An interesting point is that the Americans were imagined to be in there somewhere. They classed us as a socialist and so evil country,while funding and arming the IRA.

                There were certainly difficulties (economic, union, oil crises) that led to Thatcherism. But it later emerged that the productivity increased during the notorious 3 day week and hospitals and so on did not close down etc.. Things were not wonderful. But for the average person, they were far from your implications and the society would not have welcomed a military intervention.

                And I do remember a sugar shortage and even the local baker not having enough bread. But the duration of that was short.

              4. PJI

                Re: re: Why would we have known about it?

                Whatever else I think of Wilson, I am infinitely grateful that he refused American attempts to involve us in Vietnam. If only modern government had as much spine and independence of thought.

              5. Otto is a bear.

                re: Why would we have known about it?

                @Ted Treen

                Having been a liberal activist from the mid-seventies, and being at university during the three day week, I cannot think of any of my many friends of all political colours, and indeed serving military officers, of one who would have welcomed a military coup to solve the country's problems. In fact, I suspect it would have destroyed the country, and divided our military and police forces, as it would today.

                1. Matt Bryant Silver badge

                  Re: Otto is a bear re: Why would we have known about it?

                  "....Having been a liberal activist from the mid-seventies, and being at university during the three day week, I cannot think of any of my many friends of all political colours, and indeed serving military officers, of one who would have welcomed a military coup to solve the country's problems. In fact, I suspect it would have destroyed the country, and divided our military and police forces, as it would today....." Strangely, there were plenty of people that thought a military coup (and resultant civil war) couldn't happen in "modern" Spain in 1936, or even more modern Portugal in 1974, or the series of coups in the late Eighties and collapse into civil war in the Nineties in the much more modern former Yugoslavia. All involved splits in loyalty in the police and in the military. It may not have been welcomed, but if the course of events had led to a coup then it would not have been beyond belief that many serving officers and men would have followed orders in the hope of restoring order and a "better" economic solution.

              6. TheOtherHobbes

                Re: re: Why would we have known about it?

                >I can reliably say that had the army taken over, it would not have been an unpopular move.

                I was there, and I can safely say that any coup would have relied on 'useful' people like you.

                And you clearly have no idea what a military dictatorship is like for most of the people living under it.

                >I know management weren't entirely faultless either

                No, you don't. You think management are true blue patriots who make occasional regrettable but understandable mistakes, while the workers are all rabid prosperity-hating trots.

                Meanwhile, the real infiltration was happening in the intelligence services and in the upper classes.

                Burgess, Philby, Maclean all defected. Blunt managed to get himself a nice little pardon because he knew the royals. The fifth man remains unknown.

                Welcome to utopia.

                Still, I expect things are better today, and the spooks are much more trustworthy now, and only have our best intentions at heart. Obviously.

              7. M.D.

                Re: re: Why would we have known about it?

                @Ted Treen

                Ho-Hum, here we go again. It's all the fault of the Unions. Yup. Union activity destroyed Manufacturing. Ah-huh. Just like that other (even MORE Union dominated Country...) Germany. Yup.

                Er...hang on...

              8. Magnus_Pym

                Re: Ted Treen

                "As a 63-yr old, I lived through the Wilson & Callaghan governments, when Dennis Healey"

                Blah, Blah Conservatives this, Blah Blah Labour that. Blah Blah blah Management, Blah blah blah Unions.

                Both the union wars of the seventies and the decline of the British motor industry can be traced to the us-and-them attitude gleefully entered into by all parties as a method of gaining the attributes of power while passing all responsibility to others. If you think that was all in the old days then you haven't paid much attention to the way modern politics works. Bad things have happened but when was the last time a politician or leader of industry was found to have been responsible for any of them? There is always someone else to take the blame.

              9. Chris 3

                Re: re: Why would we have known about it?

                Let's see.

                In the 1979 election the Conservatives won 44% of the popular vote. I'm going to assume that a military coup would have been less popular than voting in a new government democratically.

                Therefore, your "reliable" assertion that a coup would have had popular support is poppycock. You don't have to be a liberal-left kiddy to downvote a poor argument.

          2. Trevor_Pott Gold badge

            Re: re: Why would we have known about it?

            Um...the NSA is is part of the American military...

            1. Matt Bryant Silver badge

              Re: Pottie Re: re: Why would we have known about it?

              "...the NSA is is part of the American military...." Not quite. It is part of the Department of Defence and reports to the Director of National Intelligence, and has a military officer as head (the Director), but his deputy and the majority of staff are civilians, not enlisted soldiers, and do not hold military ranks. Indeed, the NSA is reputedly the largest recruiter of civilian mathematicians in the World. Legally, they are civil servants, not soldiers.

        2. ecofeco Silver badge

          Re: re: Why would we have known about it?

          "Because somebody in the US would have been bribed/blackmailed into handing it over to criminal gangs - and so billions would be being stolen from online bank accounts."

          Haven't you been keeping up with current events?

          Google: 2012 total losses to online bank hacking

      2. Anonymous Coward

        Indeed.

        Loose lips sink ships...

    2. Charles Manning

      It doesn't have to happen sometime

      The idea that a crack will eventually be discovered comes from a supposition that some algorithm can be found.

      Number/computational theory can be used to prove that some problems don't have solutions (for example, there is no O(n) or O(1) sort).

      I don't know what the theory is behind encryption, but it isn't inevitable that a cheap solution can be found.

      Perhaps the encryption has been "cracked" and a cheaper solution has been found to the extent that messages of interest can be decrypted in minutes or hours. That is way different from the encryption being "shattered" and decryption being so fast that huge traffic volumes can almost be treated as clear text.

      1. Ratbite Jakes

        Re: It doesn't have to happen sometime

        Good point Charles, I think that you highlight the fundamental requirement here, not too broken, just broken enough. If it were too cheap, why simply everybody would have one!

        If I wanted to do it, and I knew who I wanted to do it to, and let's say I could break or had compromised certain symmetric ciphers, and I had a really good reason like, oh I don't know... I wanted their stuff/they were mean/nothing good on TV.... I'd probably want to look at the initiation to someone's connection to one of the alluded to 'big four'. Unless the password the user enters is encrypted before being sent using a non-vulnerable mechanism, you would only have to do the work needed to get the password. This would not risk leaving an audit trail or digital evidence on the target's computer.

        Of course it doesn't really even matter if you broke the crypto, you might have pinched the web server's private certificate, especially if they have one of those nice wildcard certificates, and that makes it easier in terms of work rate, or you could just go popping boxes. However, breaking the crypto on the authentication process and nicking the credentials sounds less risky if you stored all the log in sessions, and you'd need much less storage than recording everything.

        You now have credentials, and you can log in to that service...If you had a trusted and capable man/woman/ladyboy/educated cocker spaniel or similar working for the service provider, they could be aware of who you were looking at and clean up server side for you.

        Once you are in, you can peruse the accounts, insert yourself into conversations, map their social networks, introduce them to new 'friends' at just the right time in their lives. Just think Alan Partridge just after his divorce in the travel tavern, looking at ladyboys...

        Real world maintaining this sort of persistent access to a communication means, and using it for entrapment was just the sort of shady shenanigans the tabloids got up to with Steve Coogan and others to get hold of really important news! I for one was embittered by these revelations and was quite surprised that ES, GG etc didn't take this to Teh NoTW... Oh, hang on.

        Quite worrying if you consider that we predicate a lot of the security that we use on TLS, and we may or may not protect the credentials in transit.

        Maybe we should have the capability to have two computers using a successor to TLS use a DH key exchange like mechanism to establish a shared secret.

        They could then use that with a custom and rotatable cipher to encrypt the data, this could be one from a choice of many and which one to use would also be decided using a shared secret generated using our good friend DH. Maybe we could even have reasonable ciphers generated on the fly, that were somewhat resistant to automated cryptanalysis?

        Anyway, rambling food for thought... Now I must go and see Alpha Papa. :D

        PS How about a kick starter for an all in one trusted Pi based pocket HSM, data diode and live Linux distro all in one handy pocket sized brick?
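The sketch in the post above (a DH-style exchange that leaves both ends with a shared secret, which is then used to derive keying material) written out end to end. This is an added example, not code from the post, from TLS, or from any library; the group parameters `P` and `G` are a toy construction labelled as such, and `derive_keys`, `run_exchange` and the "client write key"/"server write key" labels are this example's own naming, loosely modelled on how TLS separates the two directions. It simulates both sides of the exchange and derives per-direction keys with RFC 5869 HKDF.

```python
"""Unauthenticated Diffie-Hellman exchange plus HKDF key derivation (demo)."""
import hashlib
import hmac
import secrets

# Toy group, constructed for this demo only: p = 2^127 - 1 is prime, but it is far
# too small for real use and 3 is not a vetted generator of a large prime-order
# subgroup. Real deployments use the RFC 3526 / RFC 7919 groups or X25519.
P = 2 ** 127 - 1
G = 3


def dh_keypair():
    """Random private exponent x in [2, p-2] and the public value g^x mod p."""
    x = 2 + secrets.randbelow(P - 3)
    return x, pow(G, x, P)


def dh_shared(priv, peer_pub):
    """Compute peer_pub^priv mod p after rejecting degenerate peer values (0, 1, p-1)."""
    if not 1 < peer_pub < P - 1:
        raise ValueError("invalid peer public value")
    return pow(peer_pub, priv, P)


def hkdf_sha256(ikm, salt, info, length):
    """RFC 5869 HKDF: extract a PRK with HMAC, then expand it to `length` bytes."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_keys(shared, transcript):
    """Split the raw DH secret into two directional 32-byte keys bound to the transcript."""
    ikm = shared.to_bytes(16, "big")            # p < 2^128, so 16 bytes suffice
    salt = hashlib.sha256(transcript).digest()   # hash of both public values
    return {
        "client_write": hkdf_sha256(ikm, salt, b"client write key", 32),
        "server_write": hkdf_sha256(ikm, salt, b"server write key", 32),
    }


def run_exchange():
    """Simulate both sides; returns the two key dicts so they can be compared."""
    a_priv, a_pub = dh_keypair()     # client: sends a_pub over the wire
    b_priv, b_pub = dh_keypair()     # server: sends b_pub back
    transcript = a_pub.to_bytes(16, "big") + b_pub.to_bytes(16, "big")
    client_keys = derive_keys(dh_shared(a_priv, b_pub), transcript)
    server_keys = derive_keys(dh_shared(b_priv, a_pub), transcript)
    return client_keys, server_keys


if __name__ == "__main__":
    c, s = run_exchange()
    print("both sides derived the same keys:", c == s)
```

Two things the exchange alone does not give you: the public values are not authenticated, so a client cannot tell whose key it has just agreed (TLS closes that gap by having the server sign its ephemeral value with the certificate key), and the raw secret is never used as a key directly, which is why the HKDF step, with the transcript as salt and distinct labels per direction, is there.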

      2. Arthur the cat Silver badge

        Re: It doesn't have to happen sometime

        "for example, there is no O(n) or O(1) sort"

        Radix sort is O(n). Algorithms 101.

        "I don't know what the theory is behind encryption"

        but I'll make comments about it anyway, because this is the internet and that doesn't require informed debate.

        1. Anonymous Coward

          Re: It doesn't have to happen sometime

          In my experience, Radix sort isn't commonly taught in algorithms courses (a couple of the well-established, top 10 universities).

  2. Anonymous Coward

    Look at NSA-approved crypto

    If the NSA can crack an algorithm, they assume it is possible for others to do so as well and so they won't use it.

    For protecting classified information, NSA requires Type 1 cryptography be used. Type 1 is divided into Suite A and Suite B. Suite A algos are NSA-developed and classified. Suite B algos are public, and approved only if properly implemented.

    Presently, the ONLY algo approved for Type 1/Suite B is AES.

    Source: http://en.wikipedia.org/wiki/Type_1_product

    1. Anonymous Coward

      Re: Look at NSA-approved crypto

      I keep seeing this argument used, and it's about time someone challenged it.

      AES cannot be assumed to be secure "because it's approved for use by the NSA".

      The NSA have no reason to not approve it for use if they can crack it, they already know (and are cleared to know) the contents of all US secure communications. So claims about it must be unbreakable because they approve it, are ridiculous.

      More interestingly the mere thought that we keep seeing expressed about how their approval "shows it must be secure" is a nice way for them to have governments whose communications they shouldn't be seeing use it.

      Maybe that's why the Guardian (and co) are using face to face meetings (including associated flights to other countries) to now communicate with sources and journalists.

      1. Eguro

        Re: Look at NSA-approved crypto

        That is not an impossible angle.

        But you do not address the point made in the first post: The NSA will have to assume that any encryption they can break - others can break.

        We can alter your argument a little and say that anything they approve to be encrypted using this encryption is stuff they don't mind the people they're assuming know how to crack the encryption know about.

        The stuff they want to really keep secret they encrypt using their own, the stuff they want to keep secret from some/most they will encrypt with AES. If the argument is angled like that, then it's possible the NSA wants the public to think AES is unbroken, whilst secretly knowing that it is broken, and are willing to pay a price for this privilege.

        This would of course imply them having secrets that they willingly "share" with (what I have to assume should be regarded as) enemies.

        1. Anonymous Coward

          Re: Look at NSA-approved crypto

          But you do not address the point made in the first post: The NSA will have to assume that any encryption they can break - others can break.

          I can address that for you if you want.

          1) they list it as "approved" because they are ok with its use by their own agencies to feed disinformation to other governments who they think might be able to break it?

          2) they list it as approved because they know (from breaking the communications of their competitors) that only they can break it?

          Take your pick.

          1. Anonymous Coward

            @obnoxiousGit

            You don't seem to realize that your two points are in conflict.

            1) they list it as "approved" because they are ok with its use by their own agencies to feed disinformation to other governments who they think might be able to break it?

            2) they list it as approved because they know (from breaking the communications of their competitors) that only they can break it?

            What if "from breaking the communications of their competitors" that they "know" only they can break it, but it turns out the competitors are feeding THEM disinformation and the fact they can break AES or whatever is a very well kept secret.

            Remember how closely the Allies guarded the secret that they'd broken Enigma. There were often some tough decisions where soldiers were knowingly sacrificed to keep the secret, rather than change strategies and keep them safe but risk having Germany figure out by those actions that we'd broken Enigma.

            If China, for instance, had broken AES they would only act on that in a way that might possibly alert the US/NSA to that fact in the most dire circumstances. They wouldn't use that ability to gain a small edge in trade negotiations.

            The NSA can only know for sure if others HAVE broken an encryption system, they can't know others have not. It is sort of like proving God. It is possible to prove there is a god (if he decided to make himself known and submit to various tests of omnipotence like turning off the sun, stopping gravity or whatever else scientists came up with) But it is impossible to prove there is no god.

            1. Anonymous Coward

              Re: @obnoxiousGit

              @DougS

              You don't seem to realize that your two points are in conflict.

              I understand completely the two points I gave you conflict, the point was there could be any number of reasons why the NSA would approve an algorithm that they know they can break.

          2. ja

            Re: Look at NSA-approved crypto

            If they can break it, they must assume that someone else will be able to soon enough for it to be a problem. Remember Venona?

            There seem to be a lot of flies in this ointment. Have they broken commercial cyphers, are they leveraging exploits or are they attacking important traffic by brute-force? Probably a little bit from each column.

          3. stratofish

            Re: Look at NSA-approved crypto

            "1) they list it as "approved" because they are ok with its use by their own agencies to feed disinformation to other governments who they think might be able to break it?

            2) they list it as approved because they know (from breaking the communications of their competitors) that only they can break it?

            Take your pick."

            3) Not all NSA decryption staff are cleared to read confidential documents, therefore clearing it for use for their own intelligence data proves in itself that it has not been cracked or thought to be uncrackable in the near future.

      2. John Smith 19 Gold badge

        Re: Look at NSA-approved crypto

        "AES cannot be assumed to be secure "because it's approved for use by the NSA"."

        It can be assumed secure because it's an open standard that's been reviewed by a lot of people who are not with the NSA.

        Never trust a crypto algorithm that is not published. "Security by obscurity" is an immediate fail flag.

        Look up the "Clipper" chip BS.

        1. Anonymous Coward

          Re: Look at NSA-approved crypto

          It can be assumed secure because it's an open standard that's been reviewed by a lot of people who are not with the NSA.

          So it's been reviewed by lots of people who haven't had access to, and who don't have access to the depth of research (decades worth of techniques, which are only known about inside the NSA) that is available to NSA cryptanalysts.

          I like how there's a post here stating about how the NSA strengthened DES because they were 15 years ahead of what everyone else knew at the time, yet you all assume they're not still at least 15 years ahead in being able to take on AES.

          AES cannot be assumed to be safe, just because the NSA approve it.

        2. Anonymous Coward

          Re: Look at NSA-approved crypto

          "It can be assumed secure because it's an open standard that's been reviewed by a lot of people who are not with the NSA."

          I think there is some confusion here; both of you are making a similar argument. AES could be secure, but how about the implementation? If you are using an appliance that has AES built-in, sure AES is being used, but how secure was the implementation. The NSA could have influenced the implementation of it mainly at the RNG. Make the RNG weak and that severely hurts the algorithm.

          We don't know what the NSA has been able to do and with whom.

        3. Paul 135

          Re: Look at NSA-approved crypto

          One problem I can see is that, given much encryption is now hardware-accelerated, is the result of an AES encryption operation by your Intel chip the same as what would happen if you were to carry out the operation using only software adhering to the published standard?

          1. John 172

            Re: Look at NSA-approved crypto

            It would be identical, it's a standard! Even a single bit difference would cause a cascade failure in the block chain resulting in a garbage decryption. Just because it's encoded using one type of hardware doesn't necessarily mean an identical implementation is operating at the other end of the link.

      3. Anonymous Coward

        Re: Look at NSA-approved crypto

        If the NSA knew of or suspected a weakness in AES, they wouldn't approve it for use, because they wouldn't want our government using something that someone else might know how to break.

        Remember how the NSA fiddled with DES after IBM came up with it back in the 70s, and everyone assumed for years that they'd weakened it so they'd be able to crack it? Some 15 years later when the research world 'discovered' differential cryptanalysis, it turned out that the NSA had in fact strengthened DES against that particular attack.

        Demonstrating that they were at least 15 years ahead of the research world at that time. Who knows how far ahead they are now? But unless they've got reason to know where the capabilities of the Russians, the Chinese and so on currently are and are likely to be over the next decade, they can't approve something they know of weaknesses in unless they don't care if their adversaries might also know of the same weaknesses.

        I guess it comes down to whether you believe the NSA feels it is more important for US government encryption to be secure, or for the NSA to be able to spy on as much as possible by hoping everyone uses their approved but known broken encryption standard. If the NSA can't crack AES with a sufficiently long key, and terrorists use it for communication, that may not be a problem since the NSA may be able to hack into their computers and steal the key, take advantage of weaknesses in the implementation of AES that render it weaker than it would otherwise be, and so on.

        1. Anonymous Coward

          Re: Look at NSA-approved crypto

          Now that I've addressed your points, how about you address one of mine?

          If AES-256 is secure and the NSA can't crack it, how come the Guardian have taken to flying people all over the world for face to face meetings?

          Why have the Guardian publicly stated that no Journalist should entrust anything to online communications of any kind, and stated that all online communications should be assumed to be compromised?

          If AES-256 is secure the Guardian would know that, Mr Snowden would have known it. The Guardian could have implemented an AES-256 system for communicating with people in remote locations... couldn't they?

          1. Eguro

            Re: Look at NSA-approved crypto

            "Why have the Guardian publicly stated that no Journalist should entrust anything to online communications of any kind, and stated that all online communications should be assumed to be compromised?"

            This might be down to the quite scary amount of brute-force which can be applied.

            If you're working on the NSA story and you send information encrypted online, then it is highly likely to be intercepted and stored somewhere. Now if they cannot "easily" decrypt it, then they will have the data and be able to work on getting their hands on the decryption key(s), or finding weaknesses in the implementation. Since not all the people who work at the Guardian are likely to be specialists trained in encryption - and a crash course probably won't suffice - it might simply be too insecure to do online.

            Sure this could still be done with face-to-face meetings, but in those cases the NSA doesn't already have the info to decrypt. They might wind up with a decryption key and none or only some of the data.

            I will grant you that your point has merit, and you could be close to (or at) the truth. I am merely trying to defend the opposite view. I really have no way of knowing what is or isn't secure in encryption.

            1. Anonymous Coward

              Re: Look at NSA-approved crypto

              @Eguro

              I really have no way of knowing what is or isn't secure in encryption.

              That's the truth right there.

              None of us have any way of knowing what is or isn't secure anymore; assumptions that AES 'must be' because the NSA approve it are in my opinion flawed.

              In the absence of knowing if AES is secure, it must be assumed not to be.

          2. CAPS LOCK

            Re: Look at NSA-approved crypto

            The Grauniad can't manage to install spell checking, how are they going to manage AES-256? Don't be fooled, flying people around the world is theatre, not journalism.

        2. Allan George Dyer

          Re: Look at NSA-approved crypto

          @DougS, you're right. But it also depends on their relative levels of arrogance, complacency and paranoia.

          Arrogance and complacency: We were 15 years ahead in the 70s, we must be 20-30 years ahead now. We [can't find a flaw | have found a flaw] in AES, no one else can find a flaw, therefore we are safe telling everyone AES is OK.

          Paranoia: If we can do it, they can do it. If we can't do it, they can still do it.

          Of course, Snowden has dented their arrogance and fueled their paranoia, but they are probably in denial, and it's on operations, not on the crypto theory. If you see a large order for rubber hosepipes, they've figured out their next move.

  3. url

    Huawei et al. are looking a lot better

    It was obvious from day one that the US's bleating was a) projection, b) fear that they would lose their grip on (what they believe is) a precious precious thing.

    Here's hoping they sink in the shit they swim in.

    1. Paul Crawford

      Re: Huawei et al. are looking a lot better

      No, it is not making Huawei, etc, look much better as they are almost certainly doing the same as Cisco but for the Chinese.

      What it should be doing is drawing the attention of nations to the fact that closed/secret designs are likely to have issues of trust. Or incompetence. In fact, the latter is just as big a threat to most folk.

    2. Vociferous

      Re: Huawei et al. are looking a lot better

      If you think Huawei et al. aren't even more deeply in bed with the Chinese secret service than the US companies are with the NSA, then you're a child.

  4. brooxta

    Open barn door security

    From the article quoting Dave Anderson, senior director at Voltage Security:

    "So, is it possible that the NSA can decrypt financial and shopping accounts? Perhaps, but only if the cryptography that was used to protect the sensitive transactions was improperly implemented through faulty, incomplete or invalid key management processes or simple human error."

    Why bother cracking the https session when all you have to do is read the unencrypted email confirmations? Many vendors (I'm looking at you in particular Amazon) don't even bother to encrypt their outgoing SMTP traffic* with this sort of sensitive information in it. Who wants to bet the NSA had a hand in implementing that particular policy?

    * Just go to "view source" or "show headers" on the last email you received from the vendor of your choice to see what I mean.
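
The "show headers" check brooxta describes, automated, as an added example that is not part of the thread. Each `Received:` line records one hop between mail servers; under RFC 3848 a hop made over TLS is tagged `with ESMTPS` (or `ESMTPSA`), and many MTAs additionally add a comment such as `(using TLSv1.2 with cipher ...)`. The sample headers below are constructed for illustration and the hostnames are made up; the regexes are a best-effort heuristic, since MTAs are not consistent about what they record.

```python
# Added example: flag Received: hops that carry no sign of TLS.
# Sample headers are constructed; real MTAs vary in what they write.
import re
from email.parser import HeaderParser

SAMPLE_HEADERS = """\
Received: from mx-in.example.net (mx-in.example.net [192.0.2.10])
    by mail.example.org with ESMTPS id 3cJk2q1Vz
    (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256)
    for <you@example.org>; Fri, 6 Sep 2013 10:00:02 +0000
Received: from bulk-out.vendor.example (bulk-out.vendor.example [198.51.100.5])
    by mx-in.example.net with ESMTP id 7xPq9d2Wk
    for <you@example.org>; Fri, 6 Sep 2013 10:00:00 +0000
From: orders@vendor.example
To: you@example.org
Subject: Your order has shipped

"""

# RFC 3848 "with ESMTPS"/"ESMTPSA" keyword, or an MTA comment naming a TLS/SSL version.
TLS_MARKERS = re.compile(r"\bwith\s+[A-Z0-9]*SMTPS[A-Z0-9]*\b|\bTLSv?\d|\bSSLv?\d", re.I)

def audit_received(raw_headers):
    """One record per Received: hop, topmost header first (that is the last hop taken),
    with a best-effort verdict on whether the hop shows any sign of TLS."""
    msg = HeaderParser().parsestr(raw_headers)
    hops = []
    for value in msg.get_all("Received", []):
        flat = re.sub(r"\s+", " ", value)          # unfold the header
        sender = re.search(r"\bfrom\s+(\S+)", flat)
        receiver = re.search(r"\bby\s+(\S+)", flat)
        hops.append({
            "from": sender.group(1) if sender else "?",
            "by": receiver.group(1) if receiver else "?",
            "tls": bool(TLS_MARKERS.search(flat)),
        })
    return hops

def cleartext_hops(raw_headers):
    """The hops a passive tap on the wire could have read in the clear."""
    return [h for h in audit_received(raw_headers) if not h["tls"]]

if __name__ == "__main__":
    for hop in audit_received(SAMPLE_HEADERS):
        print(("TLS      " if hop["tls"] else "CLEARTEXT"), hop["from"], "->", hop["by"])
```

In the constructed sample the vendor's own outbound hop (`bulk-out.vendor.example` to `mx-in.example.net`) is the one without TLS, which is exactly the case brooxta is complaining about: the order details crossed the public Internet unencrypted before the last, TLS-protected hop into the recipient's server. Paste the headers of a real confirmation mail into `SAMPLE_HEADERS` to check your own vendors.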

    1. Christian Berger

      Re: Open barn door security

      Well sure, business transactions are an open book, so they don't bother with breaking SSL there, they probably get regular database dumps from those companies anyhow.

      But there are way more important and sensitive types of information out there. Just think about porn browsing habits and the like.

    2. Anonymous Coward

      Re: Open barn door security

      And how would they encrypt their outgoing email to you? They'd need to implement a key submission system so that customers could attach their S/MIME key (or some other mail encryption implementation, each one supported making the system more complicated) to their profile so that the emails can only be read by their intended customer. How many e-commerce sites have you ever used that offered this? Why would you think NSA had a hand in this? I've worked in e-commerce for almost 15 years and never once had a customer ask if we would consider adding S/MIME support, and the added complexity of the backoffice systems would make this impractical and unjustifiable for most store setups.

      Do you buy lots of bomb making kit and copies of Catcher in the Rye from Amazon? Or is it the latest Rod Stewart CD you'd rather not have the NSA know about?

  5. The Man Who Fell To Earth

    The other takeaway

    The other takeaway from these latest revelations as published in the New York Times is the NSA's infiltration of the cryptography community to influence implementations. In other words, many of the "talking heads", perhaps even ones The Register talks to, are NSA moles who will try to misdirect the community from improving the standards and such.

    1. Anonymous Coward

      Re: The other takeaway

      Which makes me curious about the "consensus" emerging that the spooks have only influenced implementations and not the security algorithms themselves.

      Much of that seems to stem from Bruce Schneier's analysis. He's had access to the documents (so I guess he should know as well as anyone apart from the spooks themselves), but until I read his blog I had formed a rather different impression from the published press articles. That initial impression was that algorithms had indeed been compromised, although we don't know which ones. That detail is presumably something the press have omitted, if they know at all. Schneier does speculate that maybe elliptic curve algorithms, which the NSA seems to have been pushing, should be regarded with suspicion, but that seems to have been missed by many.

      So is this "only the implementations are suspect and well-implemented crypto is still strong" line correct? Or is it mis-direction to keep us using weak algorithms? Recent experience suggests paranoia is your friend, so I tend to think the latter. Indeed, in the back of my mind, I'm asking which of these experts is working for the spooks.

  6. Destroy All Monsters

    Hmmm... Hacks

    Israel or Turkey:

    http://spectrum.ieee.org/telecom/security/the-athens-affair

    On 9 March 2005, a 38-year-old Greek electrical engineer named Costas Tsalikidis was found hanged in his Athens loft apartment, an apparent suicide. It would prove to be merely the first public news of a scandal that would roil Greece for months.

    The next day, the prime minister of Greece was told that his cellphone was being bugged, as were those of the mayor of Athens and at least 100 other high-ranking dignitaries, including an employee of the U.S. embassy

    1. Anonymous Coward

      Re: Hmmm... Hacks

      Considering general Greek incompetence, that means absolutely nothing. Surely this muppet thought "my iPhone is secure, it is the most expensive one".

      This line of thinking is prevalent in corrupt circles. These people confuse money for the entire reality.

  7. chris 17

    I Wonder if MegaUpload was taken out as they didn't allow the 3 letter agencies in through the backdoor?

    New Zealand is one of the nations in the UKUSA Security Agreement.

    Just wondering...........................

    1. Paul Crawford

      Or the recent cases of Visa/Mastercard refusing to deal with certain VPN suppliers. Like the ones who maybe don't play ball with the USA and/or implement more secure options than the piss-poor PPTP?

      http://torrentfreak.com/paysafecard-begins-banning-vpn-providers-130825/

  8. HippyFreetard

    I have a question.

    Now that NSA snooping is a known fact, does this mean any UK-based company that still uses Gmail/Google Apps, or Outlook/Office 365, or iPads, or any of that stuff, is suddenly no longer PCI compliant and therefore in breach of the Data Protection Act?

    Can we start suing our banks for using Windows yet?

  9. Duncan Macdonald

    Weak random number ? Compromised certificates ?

    The public key encryption methods use a strong encryption to protect the session key which is used to encrypt the message. If NSA have managed to get their chums at M$ or PGP to weaken the session key so that instead of 128 bits of randomness it only has 32 bits of randomness and the other 96 bits are derived by an algorithm that is known to the NSA, it would then be trivial for the NSA to decode the messages. For an outside attacker that did not know that the key was weakened and did not know the algorithm, the message would still appear to be secure.

    If you want a document to stay secret, encode it with a version of GnuPG that you have compiled yourself (just in case the NSA have tampered with the binaries).

    Everyone should assume that the NSA has acquired the top-level certificates for all the major internet companies (Google, Microsoft, Amazon etc.) either by cooperation from their management or by espionage. All communication with such companies must be assumed to be open to the NSA.
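
What the weakened-RNG scenario raised twice above (an implementation whose RNG is weak, and a session key with "32 bits of randomness and the other 96 derived by an algorithm known to the NSA") costs an attacker, as an added example that is not part of the thread. The key derivation, the vendor constant and the hash-counter stream cipher below are hypothetical stand-ins written for this page, not any real product's code; the point is that once the derivation is known, the search space is the seed space, not the key space. `seed_bits` is kept small so the search finishes in seconds; the arithmetic for 32 bits is the same, just 2^32 trials instead of 2^16.

```python
# Added example: brute force of a session key whose entropy was quietly reduced.
# Everything here is hypothetical: the constant, the derivation and the toy stream cipher.
import hashlib
import os

VENDOR_SECRET_CONSTANT = b"hypothetical-vendor-kdf-constant"   # assumed known to the attacker

def weak_session_key(seed, seed_bits):
    """Hypothetical weakened keygen: seed_bits of real randomness, the rest derived.
    The 128-bit output is indistinguishable from random to anyone who lacks the constant."""
    seed &= (1 << seed_bits) - 1
    return hashlib.sha256(VENDOR_SECRET_CONSTANT + seed.to_bytes(4, "big")).digest()[:16]

def strong_session_key():
    """What the key should be: 128 bits straight from the OS CSPRNG."""
    return os.urandom(16)

def stream_xor(key, data):
    """Toy stream cipher (SHA-256 of key||counter as keystream) standing in for the real one."""
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hashlib.sha256(key + (off // 32).to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], ks))
    return bytes(out)

def recover_weak_key(ciphertext, known_prefix, seed_bits):
    """Enumerate the reduced seed space, testing each candidate key against a known
    plaintext prefix (e.g. a mail header).  Returns (seed, key, trials) or None."""
    head = ciphertext[:len(known_prefix)]
    for seed in range(1 << seed_bits):
        cand = weak_session_key(seed, seed_bits)
        if stream_xor(cand, head) == known_prefix:
            return seed, cand, seed + 1
    return None

def effective_strength_bits(seed_bits, knows_derivation):
    """Key strength from the attacker's point of view: the seed space if the derivation
    is known, the full 128-bit key space otherwise.  That asymmetry is the whole trick."""
    return seed_bits if knows_derivation else 128

def demo(seed_bits=16):
    """Constructed message; the attacker knows only that it starts with 'From: '."""
    seed = int.from_bytes(os.urandom(4), "big")
    key = weak_session_key(seed, seed_bits)
    msg = b"From: alice@example.org\r\nSubject: meeting\r\n\r\nsame place, 18:00"
    ct = stream_xor(key, msg)
    hit = recover_weak_key(ct, b"From: ", seed_bits)
    return hit is not None and stream_xor(hit[1], ct) == msg

if __name__ == "__main__":
    print("recovered plaintext with a 16-bit seed search:", demo(16))
    print("strength seen by an outsider:", effective_strength_bits(32, False), "bits")
    print("strength seen by whoever holds the constant:", effective_strength_bits(32, True), "bits")
```

This is why Duncan Macdonald's outside attacker sees a secure system while the insider does not: the ciphertext and the key look identical in both cases, and only knowledge of the derivation collapses the search. It is also why "compile it yourself" helps only if the source you compile draws its keys from a generator you have reason to trust.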

    1. Anonymous Coward

      Re: Weak random number ? Compromised certificates ?

      Everyone should assume that the NSA has acquired the top-level certificates for all the major internet companies (Google, Microsoft, Amazon etc.) either by cooperation from their management or by espionage. All communication with such companies must be assumed to be open to the NSA.

      Or by a National Security Letter: why bother with long drawn-out methods when you have the sword of Damocles to dangle over the head of the CA?

    2. Anonymous Coward

      Re: Weak random number ? Compromised certificates ?

      "encode it with a version of GnuPG that you have compiled yourself"

      Are you sure your compiler hasn't been backdoored? Ken Thompson gave himself an account on every Unix box there was...

      See "Reflections on Trusting Trust".

      1. Marvin the Martian

        Re: Simple solution --- 16,777,216 GMail logins needed.

        So to be safe, set up your own mail server: if your computer tries to login even a fraction of that many times, it goes titsup, informing you there may be a breakin attempt?

        Hm. There might be a flaw in this plan. Or it may rather be a large flaw with a little plan in it.

  10. Marvin O'Gravel Balloon Face

    And yet Snowden is labelled as a "hacker". Ironic.

  11. John Smith 19

    Has RC4 been broken? Probably

    Bottom line. The internet needs a new series of protocols based on some new assumptions.

    a) The route and all intermediate nodes must be treated as hostile.

    b) No 3rd-party certification can be trusted either. It might not be coming from who you think, or they may be subverted.

    c) All transfers should be encrypted by default including (and this is the tough part) the packet headers.

    d) All crypto must have a use by date when it should definitely be viewed as compromised.

    The price we pay for this may be that we end up paying for things. I'm not in principle opposed to that, provided we're looking at a micro payment system, rather than something ridiculous.

    Sorry folks, the future arrived and it's not what we thought.

    1. Charles 9

      Re: Has RC4 been broken? Probably

      But now you run into some "hard" problems.

      b) Without Trent, how can Alice and Bob be sure they're talking to each other? For all they know (even in a face-to-face encounter), Eve is posing as one of them. It's such a problem that even Quantum Encryption says you need Trent. So how do you do trust without Trent?

      c) And you notice how clunky TOR is? That's because mail can't run properly without an address. Similarly, IP packets require a destination, and that's in the header. So how do you mail an envelope when the addressee is INSIDE the envelope?

  12. Anonymous Coward

    "...it's no great stretch to imagine their equivalent agents in Russia, China, France, Israel..."

    China.. and Israel?

    No offence, but China has over 150 times the population that Israel does and a yearly military budget comparable to the entire cumulative total of US foreign aid they have received. Israel may be great at tech stuff but hardly likely to be in the same league as China.

    1. Anonymous Coward

      You might be surprised to find out that probably half of the top Crypto people in the world are Israelis. So I think they just might be able to take on China as far as brains.

      1. Destroy All Monsters

        Plus a lot of the Great Minds are Jewish.

        We need to recruit them back!

  13. Henry Wertz 1

    I'm curious if this is true or not...

    I've seen articles like this before speculating on weaknesses introduced to cryptosystems, being able to crack them, etc. (Of course for the Clipper chip it was no rumor; it was in fact very weak, to the point that the initially released chip was cracked wide open within like a day by researchers.) I'd say it's possible the NSA has introduced weaknesses in various devices or has technology to crack some cryptosystems. I'd also say it's just as likely that this is a misinformation campaign -- that the NSA likes to let hints of weaknesses float about, so people will either 1) get all fatalistic and not use crypto anyway -- why bother if it's readable anyway? or 2) try to roll their own, which is plenty likely to be a terrible cryptosystem (if they invent their own crypto system) and probably will have implementation flaws too, unless it's written by a true crypto expert and peer reviewed.

  14. jaycee331

    End of Internet Security as we know it?

    Wiretapping is one thing. If the NSA have unique maths or brute-force supercomputer farms to achieve this, I'd be less concerned. But the idea of cheating by subverting the very algorithms, standards, software and hardware we trust has placed the entire ecosystem at risk. Every user and organisation across the globe is potentially compromised. Not by a wiretap per se, but because they may be using protocols and crypto that have been wilfully compromised.

    I can only come to one real swift, simple conclusion about this. This news effectively declared the Internet to no longer be a safe place to perform secure business transactions of any kind. That's the real message I'm picking up here. So it is my view that any bank, merchant, e-tailer or credit card service that remains online from this day forward has assumed an implicit responsibility for choosing to do so. I'd love to see the typical "we're secure, so it must be your fault, you've been phished etc." defense beaten down in court against this backdrop!

    1. Anonymous Coward

      Re: End of Internet Security as we know it?

      I disagree on "roll their own". They could be easily defeated if everybody invented their own cipher and used it in addition to RC4, 3DES, AES etc. Because they cannot possibly solve millions of different ciphers. They will focus for years on RC4 (or Enigma) and then hope lots of people use RC4 or Enigma.

  15. Gene Cash

    Weakened random number generators are already here

    The Android one for example: http://www.theregister.co.uk/2013/08/12/android_bug_batters_bitcoin_wallets/

    That's not a bug, it's a feature, according to the NSA...

  16. h3

    ipsec6

    Does anybody think the reason we don't have ipv6 is the fact that ipsec6 is mandatory in the spec ?

    1. Destroy All Monsters

      Re: ipsec6

      No it has to do with massive inertia and the fact some committee made the mistake of thinking that hassle-free backwards compatibility could be left out.

      1. ecofeco

        Re: ipsec6

        You are both right.

  17. Skrrp

    So can we have updated browser warnings now?

    The SSL certificate this site uses is verified by one of the large Trust Authorities, so it should be considered broken.

    The SSL certificate this site uses is self-signed, so it should be considered slightly secure.

    1. Don Jefe

      Re: So can we have updated browser warnings now?

      What you don't know is that El Reg is, in fact, a front for the European branch of the NSA. Some of the authors are deep-cover CIA agents with false journalism degrees and the editors aren't even human.

      Trust nothing here.

  18. Anonymous Coward

    http://security.stackexchange.com/questions/38493/remove-rc4-from-ssl-tls-ciphers-in-chromium

  19. Tufty Squirrel

    noise generation

    >> Previous revelations have revealed that the NSA routinely stores encrypted traffic transmitted over

    >> Tor for subsequent cryptanalysis.

    Time for some noise generation, then. A pair of apps that ping-pong encrypted chunks of random data across tor should be pretty simple to set up.

  20. Anonymous Coward

    Sorry guys, but can't the NSA use the same method (the one they used to get at the commercial entities' users' data) to get to the certificate stored with the CAs? Why don't we consider the fact that the CAs are bound by the same laws that bind other commercial entities? Therefore they too will hand over data when ordered by the court.

    I don't believe that this is a weakness in the algorithm, if it was, it would have been found by now by some researcher. The NSA simply has access to the private key and certificate through the issuer.

    1. Don Jefe

      Found by Now? Don't be so sure.

      I am not discounting your point about open source algorithms, but consider this cautionary tale. From 1923 to 1956 the entire scientific community believed there to be 24 Human chromosomes when there are in fact only 23.

      The erroneous information was peer reviewed by the greatest minds in the biosciences; there was even the original picture used for the reference count, taken through a microscope, published everywhere, plastered on school walls and in textbooks and reference manuals. Hypotheses were made, experiments conducted, research awards were given.

      For 33 years the entire scientific community was wrong. They screwed up counting to 23 even with the bloody picture reprinted for them and enlarged thousands of times.

      Make of that what you will, but these were legitimate scientists who were reviewing and using this information. A whole, whole lot of open source is created and reviewed by clever people but most won't have the research discipline an applied research scientist does. No individual and no group is immune to the risks inherent in taking someone else's word for something.

      It is incorrect to think or believe that a bunch of eyes on something is a guarantee.

      1. DropBear

        Re: Found by Now? Don't be so sure.

        Too bad you neglect to mention that said image actually DOES show 48 items, and the error is rather one related to the methods and sample source used, later corrected by investigations employing entirely different methods and samples. [1]

        Having said that, the point of the sometimes missing review from peers is certainly a valid one. But trying to infer that everybody was an idiot for 33 years, scientists included, is rather disingenuous. And in the case of crypto, "nobody else bothered to check" absolutely, definitely does not apply.

        [1] - http://www.nature.com/scitable/topicpage/human-chromosome-number-294

        1. Don Jefe

          Re: Found by Now? Don't be so sure.

          I didn't mean to imply that anyone was an idiot. I was trying to get at the point that everyone took everyone else's word something was one way and never verified that to be the case. The assumption that everything beyond any given point is correct because someone said it was is risky at best. They could very well be making similar assumptions about whatever it is they are working with.

  21. Anonymous Coward

    I hope so

    I hope the spooks have cracked all crypto. It's in the best interest of honest, civilized people. It's all good IMO.

    1. RobHib

      @A.C. - Re: I hope so

      Don't be silly, because if they had cracked them all they'd be hardly likely to tell us about it.

    2. Destroy All Monsters

      Re: I hope so

      Weak trolling on weak encryption?

      Supersized Weak!

    3. ecofeco

      Re: I hope so

      I, for one, welcome the new _overlords_of_the_week_!

  22. Anonymous Coward

    "it's also used in Wi-Fi WEP protection"

    And we all know how secure that is!!

    An algorithm developed in 1987 that provided, at the time, essentially unbreakable encryption. But the technology (and paranoia) to calculate numbers has massively increased.

    But as history proves, build a lock and someone, somewhere, will attack it and eventually it will be broken.

    As recently highlighted even quantum crypto had a flaw, but that flaw was only found because someone decided to attack it.

    This is a continuing saga, cat and mouse...

    As the cryptography becomes more sophisticated, so does the desire to unlock whatever it contains. After all, nothing to hide, nothing to fear!

  23. Matt Bryant

    OMG, the laziness!

    The anarchist skiddies these days are just too tied to their tech, they just don't have any imagination. Everything has to be done for them, preferably by some "clever" code. A simple look through history would show them a mere update of an ancient encoding technique would suit 99% of their needs as most of it is just sending their paranoid delusions in text. It's called a book cipher. Thousands of books are now available online in digital form meaning that they can still play with their computers, and with very large books you can usually find many possible options for each word you want to encode so you can avoid statistical and pattern analysis. You could encipher a whole website and only the readers with the source book to refer to could decipher it (in real-time if they have some "clever" browser code). The random nature of the enciphering means you can throw as much computing power as you like at it in vain. And with so many texts now available in digital form you can even change source books (keys) every message if required. The only problem for the anarchists is their reading is so limited they have so few options for source books. Just a quick warning for them - 300 copies of Mao's "The Little Red Book" being downloaded at once are going to ring a few alarm bells at the NSA.

    1. Destroy All Monsters

      Re: OMG, the laziness!

      Son.

      I am disappoint.

      1. Matt Bryant

        Re: Destroyed All Braincells Re: OMG, the laziness!

        "..... I am disappoint." And your analysis of why a book cipher would be a bad option is..... Oh, you don't have one. This is my surprised face, honest.

    2. Don Jefe

      Re: OMG, the laziness!

      I'm kind of curious about what's wrong with a book cypher. It seems like a really cost efficient and effective tool accessible to any and all. So, what is wrong with a book cypher?

      1. Anonymous Coward

        Re: OMG, the laziness!

        The big problem is that you have to communicate which book to use - and that communication is subject to all of the issues that any other communication has.

        A book code is after all just a variant on the one time pad.

        Of course, if you can meet up in person to communicate which book to use, you could meet up in person to swap data...

        1. Charles 9

          Re: OMG, the laziness!

          But then again, how can Alice be certain she's meeting Bob and not Eve posing as Bob (and before you bring it up, Eve's a tomboy and an expert male crossdresser)?

          The most difficult part of a secure conversation is STARTING it, because that requires a level of trust. Thing is, how do you do that in a DTA environment: one where anyone you meet could be the enemy?

      2. Matt Bryant

        Re: Don Jefe Re: OMG, the laziness!

        "......So, what is wrong with a book cypher?" The first problem is letting people know which book you are using without telling those you don't want to know. That usually means you have to have some other form of secure coms first, such as a pre-arranged list of books for each date that is handed to you. The second is that your book "ages" - you only have so many options for many words in the average book, so you have to change books after a period to defeat statistical pattern analysis. Another problem is you really have to make sure you have identical books - even different editions from the same publisher could have different page layouts and wording. And the last big problem is if the listeners suspect you are using a book cipher and they capture a suspect with only one book in his possession then it's pretty much game over.

        The availability of digital downloads of books on the Internet gets round most of the problems, especially as you can carry literally hundreds of e-books in one device or not even download the e-book until required, but does not get round the problem of the secure transfer of the initial list of books.
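
The word-level book cipher Matt Bryant describes, with two of the problems he lists made concrete, as an added example that is not part of the thread: how few codes a common word really has in a short key text (the "ageing" problem), and what happens when the two parties hold different editions. The "book" below is a constructed paragraph written for this page, not a published text; the "second edition" differs from the first by one inserted word.

```python
# Added example: a word-level book cipher and its edition-mismatch failure.
# The key text is constructed for this page; nothing here comes from the thread.
import random
import re

BOOK_FIRST_EDITION = (
    "The old mill stood at the bend of the river where the bridge had once been. "
    "We agreed to meet at the bridge at dusk, but the old road was gone and the river "
    "ran high under the broken bridge. At the edge of the town the old church bell rang, "
    "and we did meet, though not at the bridge."
)
# "Second edition": one word added in the opening sentence shifts every later position.
BOOK_SECOND_EDITION = BOOK_FIRST_EDITION.replace("The old mill", "The very old mill", 1)

def tokenize(text):
    return re.findall(r"[a-z']+", text.lower())

def index_book(text):
    """Map each word to every position at which it occurs in the key text."""
    positions = {}
    for i, w in enumerate(tokenize(text)):
        positions.setdefault(w, []).append(i)
    return positions

def encode(plaintext, book, rng):
    """Replace each plaintext word by the index of a randomly chosen occurrence in the book.
    Choosing at random among occurrences is what frustrates simple frequency analysis."""
    positions = index_book(book)
    codes = []
    for w in tokenize(plaintext):
        if w not in positions:
            raise ValueError("word not in key text: " + w)
        codes.append(rng.choice(positions[w]))
    return codes

def decode(codes, book):
    """Look each code up in the recipient's copy of the book; '?' for out-of-range codes."""
    words = tokenize(book)
    return " ".join(words[i] if 0 <= i < len(words) else "?" for i in codes)

def options_per_word(plaintext, book):
    """Distinct codes available for each word; a word with one occurrence is a fixed
    substitution, which is why a small book 'ages' quickly under traffic analysis."""
    positions = index_book(book)
    return {w: len(positions.get(w, [])) for w in tokenize(plaintext)}

def demo():
    """Encode with the first edition, decode with both.  Returns (matching, mismatching)."""
    rng = random.Random(2013)   # fixed seed so the run is reproducible
    codes = encode("meet at the old bridge", BOOK_FIRST_EDITION, rng)
    return decode(codes, BOOK_FIRST_EDITION), decode(codes, BOOK_SECOND_EDITION)

if __name__ == "__main__":
    same, other = demo()
    print("same edition:     ", same)
    print("different edition:", other)
    print("codes per word:   ", options_per_word("meet at the old bridge", BOOK_FIRST_EDITION))
```

Run it and the second-edition decode comes back as unrelated words, which is the "exact edition" problem in miniature. The `options_per_word` output shows the other weakness: in a short text "the" has plenty of codes but "meet" has only two, so after a handful of messages an observer can start pairing codes with words without ever seeing the book.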

        1. Anonymous Coward

          Re: Don Jefe OMG, the laziness!

          Oh my dear Matty boy.

          Did it ever occur to you that the gubbermints have enormous libraries of digitized books at their disposal? The Americans allegedly built the best Arabic dictionary/lexicon. Not the University of Cairo or something similar.

          The entire corpus of human-written text easily fits into a large storage array these days, complete with all sorts of indices on the text.

          So your "idea" is either an evil attempt to trick people into the hands of the waterboarders and little-box-lockers, or you are simply not that smart. Mr Occam points to the last option.

          1. Matt Bryant

            Re: Duck Ar5h0le Re: Don Jefe OMG, the laziness!

            ".....Did it ever occur to you that the gubbermints have enormous libraries of digitized books at their disposal ?....." You obviously did not understand how a book cipher works. You have to have the exact edition of the book. You can have a library of millions of digitised texts, and even if you run the code by checking all the books, if you have the wrong edition of the book you still get back garbage. If the book is a translation of the original you again get back garbage. The chances of the NSA having every edition of every book on earth in every possible language are simply silly; it would require more storage and computational power than even the PRISM project, many times over. Please try thinking before typing.

            "....Mr Occam points to the last option." I suggest you stop talking to Mr Occam and loosen up the tinfoil.

  24. Sureo

    It's amazing....

    It's amazing what a lot of smart people can do, with a nearly unlimited budget. Now if they were to put their efforts to some of these problems instead:

    - pollution

    - overpopulation

    - cheap clean energy

    - global peace

    - etc

    I despair.

    1. Anonymous Coward

      Re: It's amazing....

      Yes it sure would be nice to prioritize where all that money is actually going.

      Unfortunately, breaking world crypto to prevent some unknown number of dangerous, mysterious hooligans from disrupting world commerce and the American way of life (with little to no proper cost-benefit analysis) is way more exciting and fun. So far, that has been the backdrop of the 21st century, with little or no relief in sight.

      Now it looks like those banking systems we thought were keeping us all safe aren't so safe anymore.

      EPT providers and bankers must be shitting themselves right now.

      What will happen to all those electronic trillions that have been keeping us afloat?

      But going back to cash and barter will fix that soon enough. Then we can just wait for the next Robespierre to show up.

    2. Mr Young
      Pint

      Re: It's amazing....

      Don't despair - I'll go for cheap clean energy for starters

  25. Anonymous Coward
    Anonymous Coward

    Curve25519

    Roll on Curve25519!

    http://cr.yp.to/ecdh.html

  26. ridley

    "it is better to kill 100 innocent people than let one guilty person live" Vladimir Lenin

  27. Anonymous Coward
    Anonymous Coward

    Seems self-evident that they would, wouldn't they?

    We might not like it, but no-one should be surprised that the NSA can break commonly encrypted sessions like TLS/SSL should they? I mean, that's their job and to not do so would instantly make this week's Bad Guys immune from electronic eavesdropping.

    The scandal is not, repeat not that the NSA are l33t crypto haxx0rs. Nor is it that they have injected backdoors into some systems. (We've all known for a long time that the only good crypto is open crypto. I trust the mathematics of AES even if I suspect that the NSA know that by wiggling the flux capacitor just so on the dilithium crystals it can be made to reveal information. That is not a problem with AES so much as implementation.)

    The scandal is that the NSA is vacuuming up every piece of communication whether it relates to an investigation or not. Fourth Amendment be damned. Let's not get our panties in a twist about the NSA being good at their job and instead shine a light on what they truly think their job is.

  28. FuzzyTheBear

    Really ..

    To think even for a second that the spooks will let you put your hands on a cypher they cannot break is totally juvenile. The moment they find messages they cannot break you will see black helicopters move. Military grade encryption and civilian grades are two things. If they can't break it, it's a direct threat to the security.

    At the least, someone is mighty interested in keeping the message a secret. Raises eyebrows, don't you think?

    We all know the net is compromised 100%. Thanks Edward for confirming. A true American Hero (Capital H)

    1. Charles 9

      Re: Really ..

      So why haven't they done anything about quantum encryption, which if performed properly is provably secure by science (the flaws in it have come from implementation flaws, not in the fundamental theory)? Unless you're saying the NSA has defied international science (including science outside US control) and created a way to break Quantum Key Distribution undetectably.

  29. Version 1.0 Silver badge

    The sky is falling?

    "That earth-shattering NSA crypto-cracking: Have spooks smashed RC4?"

    Yes - it's been chicken salad for a while.

    1. Anonymous Coward
      Anonymous Coward

      Re: The sky is falling?

      Any references?

      1. Charles 9

        Re: The sky is falling?

        Wiki covers the subject pretty well.

        http://en.wikipedia.org/wiki/RC4

        And relax, it's full of citations where you can get further information.

        In a nutshell, RC4 has flaws that reveal key information about the plaintext in the cyphertext. Using that, one could reconstruct the plaintext with some patience (or access to a cloud because RC4 usually doesn't have a lot of bits). Klein's attack, for example, could analyze the cyphertext from a bunch of WEP-encrypted frames and use them to recover the WEP key. Since it could be done over the air and in a short amount of time, WEP was essentially no good anymore.

  30. John Sanders

    So after all this is why the huge push towards SSL vpns.

    Because that way the spooks can get their hands on the data.

    1. Anonymous Coward
      Anonymous Coward

      Re: So after all this is why the huge push towards SSL vpns.

      Except that the US military use https, too. They have their own CAs, of course, and will purge all the commercial CAs for their internal use.

      https does not necessarily need RC4. You can run it with RSA+AES, for example. Or DH-3DES.

      You are either a shill or Idiot Chicken Little.
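As an added example (not the commenter's code), this is how a Python client can be pinned to TLS without RC4, following the comment's point that HTTPS does not need it. It goes a little beyond the comment: the cipher string also drops 3DES and the anonymous suites, and keeps only forward-secret ECDHE/DHE suites with AEAD ciphers. The weak-family marker list is my own; the cipher-string syntax is OpenSSL's as exposed through Python's `ssl` module.

```python
# Added example (not from the thread): build a Python TLS client context that
# cannot negotiate RC4, and audit a cipher list for the weak families.
# The cipher-string syntax is OpenSSL's; the marker list below is my own.
import ssl

# Substrings that identify deprecated or broken suites in OpenSSL cipher names:
# RC4 (prohibited for TLS by RFC 7465), 3DES/DES-CBC3 (64-bit block),
# NULL (no encryption), EXP (export grade), MD5 (broken MAC),
# ADH/AECDH (anonymous, unauthenticated key exchange).
WEAK_MARKERS = ("RC4", "3DES", "DES-CBC3", "NULL", "EXP", "MD5", "ADH", "AECDH")


def audit_cipher_names(names):
    """Return the entries of `names` that contain any weak-family marker."""
    return [n for n in names if any(m in n for m in WEAK_MARKERS)]


def hardened_client_context():
    """Client context limited to TLS 1.2+ with AEAD suites and forward-secret key exchange."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # OpenSSL cipher string: keep ECDHE/DHE with AES-GCM or ChaCha20 and
    # explicitly exclude RC4, 3DES, MD5 and anonymous/unencrypted suites.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!aNULL:!eNULL:!MD5:!RC4:!3DES")
    return ctx


def negotiable_cipher_names(ctx):
    """Names of the suites this context would offer (TLS 1.3 suites are listed too)."""
    return [c["name"] for c in ctx.get_ciphers()]


if __name__ == "__main__":
    offered = negotiable_cipher_names(hardened_client_context())
    print("suites offered:", len(offered))
    print("weak suites still offered:", audit_cipher_names(offered))
```

`audit_cipher_names` is the check worth running against whatever a server or proxy reports it accepts; an empty result from the hardened context shows the exclusions took effect on the local OpenSSL build.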

  31. kneedragon

    I should be good and read every comment, but after 15 min... Can't say I told you so, because I didn't, or not so you'd have heard me, but I realised twenty years ago that networks are watched, and that Windows is not secure, and even if you have an open source system, you're only secure as long as nobody really wants in. I started to study computers and networks at a tertiary level in the mid 90s, and we were told, by lecturers, security is relative. If you have something they want, and they have the resources to get it, they can, and sadly, there are a number of things you can do to make it a little more difficult for them, but you can't stop them, and in part, all you do by going to big trouble over security and encryption, is highlight that you have something to hide. The fact that you've employed strong encryption is a red flag. "Be good, be honest, be law abiding, but above all, if you can't do that, then do any and all your mischief AWAY from any computers. You can make computers somewhat secure, but that's all."

    I did get very suspicious about Microsoft, when the entire weight of the US government seemed to be about to come down on them over anti-trust... and then it all just went away, like they'd come to some agreement...

  32. Otto is a bear.

    The Guardian's version

    I read the Grauniad's version of the article, railing against the fact that security agencies have broken standard internet encryption techniques, and how this was an affront to liberty, the end of the internet as we know it, a green light to criminals to do it, on the premiss that once you know something is possible, it's a lot easier to do.

    But hang on, until the internet it was not possible for ordinary citizens to seriously encrypt their communications, and if law enforcement, or the security services wanted to intercept it, they needed a warrant. The security services still monitored random telephone and radio chatter, obtaining a warrant if they needed a close look. This is still what they do, but there is a hell of a lot more chatter to monitor, so methods to monitor it have had to be developed, and as a society we need our security services to do this.

    The Grauniad thinks that the argument of criminal or terrorist use is a smoke screen, but both terrorist and criminal organisations spend money on breaking encryption, and it's recognised by security vendors that there is a war going on to keep encryption secure, thus as soon as one method is broken, a new one must be released. Breaking encryption is hard, it's much much easier to compromise the endpoints.

    Here's the thing: do you want criminals and terrorists to be able to communicate in total secrecy, safe from the prying eyes of governments. Do you want people to be able to organise a riot through blackberry. No, I thought not, you can't have it both ways. I live in a safe democracy, sadly, like all things these technologies can be used by totalitarian states as well. In democracies the state apparatus can't and won't afford the kind of surveillance manpower needed to watch everyone, in a dictatorship, they can afford the manpower. Your communications in the UK, USA and in fact all the major democracies are as safe as they ever have been, unless you start talking about pulling off major coke deals, or blowing up bits of the government.

  33. ecofeco Silver badge

    Like a guy once said...

    Green singles out weakening the integrity of SSL as the gravest violation of privacy; the NSA reportedly blows $250m a year working on just that.

    ...did you really think the military was spending $600 on a single toilet seat?

  34. Peter Fairbrother 1

    Some misunderstandings here.

    First, the $280 million budget of the BULLRUN "dirty tricks" program does not include the cost of the "advanced cryptanalytic capabilities" NSA is developing. We don't know exactly how much NSA are spending on that, but the combined NSA and US armed forces cryptanalytic budget is said to be just over $10 beeeelion.

    RC4? well, it ain't that great but - the NSA have lots and lots of encrypted traffic they want to decrypt. It comes in chunks called sessions - roughly, the time you "are connected to" a single website - and each session has a different key.

    If the NSA had a method to break RC4, they would have to break it again and again for each session. That's a huge amount of work. There are some other problems too, about obtaining the needed plaintext - you can't expect to break a RC4 session key from just examining the ciphertext, there isn't enough of it. You need a crib. Not impossible, but again it's a lot of work.

    It would be far more effective to attack the mechanisms by which the session keys are set up - mostly RSA, though people sometimes use ECDHE instead. The big websites only changed their RSA keys every couple of years. Break one of those and you can easily calculate several million, or even several billion, session keys.

    Personally I think they may well have found a method to break RSA - each break might be expensive, but as I said they can get millions of session keys from a single break. They may have a method to break, or partly break, ECDHE instead or as well, but my money is on RSA.

    And it doesn't have to be RSA-2048 either - there are petabytes or more of old ciphertext which NSA would love to decrypt, collected over many years, which was protected by RSA-1024. Heck, until a few weeks ago the vast majority of internet SSL/TLS sessions were only protected by RSA-1024 or equivalent. I think it's still well over 50%.
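The comment's argument, that one broken long-term RSA key unlocks every recorded session keyed through it while ephemeral DH does not, can be modelled in a few lines. This is an added toy illustration, not the commenter's work and not real TLS: the RSA primes, the DH group and the signing scheme are tiny constructed stand-ins, and `recover_with_server_key` plays the passive recorder who later obtains the server's private key.

```python
# Added example (not from the comment): a toy model of the point above. With RSA key
# transport, whoever recorded traffic and later obtains the server's long-term RSA key
# recovers every session key; with (EC)DHE the long-term key only signs, so recorded
# sessions stay sealed. All keys and group parameters are tiny constructed values.
import hashlib
import random

# Constructed toy RSA key pair: two ~20-bit primes, far too small for real use.
P, Q = 1000003, 1000033
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent (Python 3.8+ modular inverse)
SERVER_PUB, SERVER_PRIV = (N, E), (N, D)

# Constructed toy Diffie-Hellman group: a Mersenne prime modulus with generator 2.
DH_P = 2 ** 61 - 1
DH_G = 2


def rsa_apply(key, x):
    """Textbook RSA: x^exp mod n, used for both encrypt/decrypt and sign/verify."""
    n, exp = key
    return pow(x, exp, n)


def rsa_sign(priv, data):
    h = int.from_bytes(hashlib.sha256(data).digest(), "big") % priv[0]
    return rsa_apply(priv, h)


def rsa_verify(pub, data, sig):
    h = int.from_bytes(hashlib.sha256(data).digest(), "big") % pub[0]
    return rsa_apply(pub, sig) == h


def rsa_key_transport_session(rng):
    """RSA key exchange: the client picks the premaster secret and encrypts it
    to the server's long-term public key. Returns (session secret, recorded transcript)."""
    premaster = rng.randrange(2, N)
    transcript = {"mode": "RSA", "enc_premaster": rsa_apply(SERVER_PUB, premaster)}
    return premaster, transcript


def dhe_session(rng):
    """Ephemeral DH: fresh exponents per session; the server signs its share with the
    long-term key for authentication only. Returns (session secret, recorded transcript)."""
    a = rng.randrange(2, DH_P - 1)            # client ephemeral exponent, never sent
    b = rng.randrange(2, DH_P - 1)            # server ephemeral exponent, never sent
    A, B = pow(DH_G, a, DH_P), pow(DH_G, b, DH_P)
    sig = rsa_sign(SERVER_PRIV, B.to_bytes(8, "big"))
    client_secret, server_secret = pow(B, a, DH_P), pow(A, b, DH_P)
    assert client_secret == server_secret
    transcript = {"mode": "DHE", "A": A, "B": B, "sig": sig}
    return client_secret, transcript


def recover_with_server_key(transcript, server_priv):
    """What a passive recorder can do once it holds the server's long-term private key."""
    if transcript["mode"] == "RSA":
        # The premaster secret was encrypted to this key: decrypt it directly.
        return rsa_apply(server_priv, transcript["enc_premaster"])
    # DHE: the transcript holds only public shares and a signature. The private key
    # lets its holder forge future signatures, not derive a past session's secret,
    # which would need the discrete log of A or B.
    return None


if __name__ == "__main__":
    rng = random.Random(7)   # seeded so the demo is reproducible
    secret, t = rsa_key_transport_session(rng)
    print("RSA transport, recovered:", recover_with_server_key(t, SERVER_PRIV) == secret)
    secret, t = dhe_session(rng)
    print("DHE, server share authentic:", rsa_verify(SERVER_PUB, t["B"].to_bytes(8, "big"), t["sig"]))
    print("DHE, recovered:", recover_with_server_key(t, SERVER_PRIV))
```

The structural difference is the whole point: in the RSA-transport transcript the session secret is a function of the long-term key, so one key compromise scales across every recorded session, whereas in the DHE transcript the long-term key only vouches for the server's share.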

    1. Anonymous Coward
      Anonymous Coward

      Re: Some misunderstandings here.

      How do you know all of this? Extreme conjecture or what?

  35. Anonymous Coward
    Anonymous Coward

    It's all good

    I hope the NSA and other government agencies working to protect the citizens are able to crack all encryption schemes. It's in the public's best interest and security.

  36. Berge

    RE: CIA cracking encryption

    Hate to tell you this, folks, but it is a certainty that any system of encryption that is sold in the US is automatically breakable by some agency (presumably, one that spies on people regularly, and not, say, the Dept. of Transportation) in the US government. That is because it has long been literally a federal crime to sell an encryption system in the US that our feds can't crack.

    I learned of this back in the late 1990's when a small company was put out of business before it was barely off the ground, because the two who started it had come up with an "uncrackable" encryption system. They were about to launch, with a demonstration at a conference on internet security that was being held overseas outside of the US. They were contacted by the CIA/NSA and told they couldn't present, as our/my government couldn't crack their code. And, they couldn't sell it, either, as they were US citizens. Their company went bankrupt. However, the kicker in the story is that they found out about five years later that the US govt. already knew how to crack their encryption system when they were told they couldn't sell it - the Feds didn't want other countries to know that the US already had the capacity to crack that level of encryption.

    By the way, there is really little that Mr Snowden has revealed about the level of surveillance that the US govt. routinely carries out that wasn't established in (an apparently little-read) book on the NSA entitled "The Puzzle Palace." Though it was written several decades ago, it lays out the very broad jurisdiction that the US Congress gave the NSA to monitor any information entering or leaving the US. Those powers started pre-internet (during or just after WWI, actually), with (snail)mail and telegraphy. The book goes on to detail how those powers had been sequentially extended to include any and all electronic communications which crossed the borders of the US. Since satellites are well outside of the boundaries of the US, any data (then, phone and TV/radio broadcasts) that were relayed via satellite were deemed fair game for US govt. interception by the US courts. It doesn't take much imagination to realize that some court or another later included internet traffic.

    As for the collection of internet addresses of individuals that corresponded with reporters for the Washington Post, again, the book mentioned above indicated that agencies like the FBI have long had the right to intercept the mail to or from any US citizen, and record the names, dates, and addresses with whom the person was corresponding. They couldn't open/read that mail without a court order, nor could they substantially delay the delivery of that mail. As above, I can't imagine a court not allowing the extension of the concept of recording snail mail addresses to recording email addresses.

    This is also undoubtedly the reason that the US govt is being allowed to slurp up yottabytes of raw email traffic, with attached email addresses, and then being allowed to run electronic database queries cross-correlating patterns of communication, with the goal of finding patterns that are suspicious. The "key" word or phrases they are cross-correlating aren't known to belong to any specific person or address at the time that they are being searched - the search is for a statistically significant "outlier" in the reams and reams of data - so it could (and probably was) argued that no one person's rights are violated. And, as it's for the goal of national security, in the post-9/11 world, it's all likely fair game at this point, the Constitutional niceties be damned.

    By the way, I didn't glean information on how literally billions of dollars of money appropriated for national security was siphoned off for the construction of several (seven, I believe) massive electronic data-slurping edifices from secret files. See the story in Wired magazine from about a year ago.

    One nice thing about being over 60, and a nerd/geek before it was a compliment to one's intellect, and having taken the time to read over the years, is that there is really not much that is fundamentally new. Details change, technology gets more complicated, but the basic players, and their goals and strategies remain the same.

    "The Puzzle Palace" is still a great read, by the way, for those who want to hone their paranoid instincts. For instance, when the President signed the law that established the NSA, the name of the agency wasn't allowed to be printed in the document that he was signing - its presence was divulged on a need-to-know basis, and he was not considered to have to know. Until the 1970's it was illegal for any publisher in the US to publish anything that named the agency. A head of the CIA (Admiral Stansfield Turner, if I recall correctly) had also been head of the NSA for a time - asked to compare the two agencies (the existence of the NSA had been revealed by then), he reportedly stated that the budget of the NSA "dwarfed" the budgets of the CIA and FBI combined. When IBM was estimating its computing power in hundreds of square yards, the CIA was estimating its computing power for Congress in terms of acres.

    Happy dreams.

  37. Shaha Alam

    i don't get it

    any other organisation that conducted themselves in this way would be branded as criminal and investigated.

    what's the difference here?

  38. fLaMePrOoF
    Big Brother

    "What the NSA appears to have done is circumvent or nobble the software and hardware that underpin widely used encryption systems, rather than all-out breaking the mathematical foundations of modern-day cryptography."

    This puts the US / UK attitude towards Huawei & other Chinese firms in an interesting perspective...

    It may be that western spooks aren't so much concerned with China's ability to compromise Chinese built kit, but rather THEIR INABILITY to compromise it...

  39. Anonymous Coward
    Anonymous Coward

    Scared Chickens

    First, where is the proof? This article is full on incoherent, unrelated arguments mixed together into an ugly stew.

    I am still not convinced RC4 has been broken. If I have something which I need to hide from NSA/CGHQ, sure as hell I will not use RC4. I will use something like RC4+MyFeistel. With MyFeistel being a cipher of my own invention, not being published.

    1. Anonymous Coward
      Anonymous Coward

      Re: Scared Chickens

      Read

      http://en.wikipedia.org/wiki/Feistel_cipher

      Mr Feistel was a great man, as you can instantly convert any (nonlinear) function into a cryptosystem without much effort. If you know how to make "good" hash functions, you can use the Feistel ladder to quickly build something very secure. E.g. H(x)=RandomTableOfValues.

      Then a quite strong Feistel function would be

      F(32bitsinput) = RandomTableOfValues(32bitsinput & 0xff) ^ RandomTableOfValues( (32bitsinput >> 8 )& 0xff) >> 1 ^ RandomTableOfValues( (32bitsinput >> 16 )& 0xff) >> 2 ^ RandomTableOfValues( (32bitsinput >> 24 )& 0xff) >> 3 ^ SecretKey

      RandomTableOfValues being a list of 256 random 32bit integers. Like the fraction of PI or the Euler Number. Or what your dice says.

      Mr Feistel is probably their biggest Nemesis. Ironically, he was paid by USAF to invent this.
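The Feistel ladder described in the comment above, written out as a runnable block cipher; this is an added example, not the commenter's code. The round function F is the comment's expression with Python's precedence (`>>` binds before `^`), the 256-entry table is filled from a seeded PRNG as a stand-in for "what your dice says", and the per-round subkey schedule (`round_keys`) is my own assumption since the comment gives a single SecretKey. What the block shows is the property the comment relies on: F is a plain many-to-one table mash and is never inverted, yet the ladder is invertible because decryption is the same ladder with the round keys reversed.

```python
# Added example (not the commenter's code): the Feistel ladder from the comment,
# built on a constructed 256-entry table of 32-bit values. Demonstrates that the
# round function need not be invertible for the cipher to be.
import random

MASK32 = 0xFFFFFFFF
ROUNDS = 16

# Constructed table: 256 random 32-bit words (stand-in for digits of pi, dice rolls, etc.).
_rng = random.Random(20130906)
RandomTableOfValues = [_rng.getrandbits(32) for _ in range(256)]


def F(x, round_key):
    """Round function from the comment: a table lookup per input byte, XORed with the key."""
    T = RandomTableOfValues
    return (T[x & 0xFF]
            ^ (T[(x >> 8) & 0xFF] >> 1)
            ^ (T[(x >> 16) & 0xFF] >> 2)
            ^ (T[(x >> 24) & 0xFF] >> 3)
            ^ round_key) & MASK32


def round_keys(secret_key, rounds=ROUNDS):
    """Assumed schedule: one 32-bit subkey per round derived from the single SecretKey."""
    return [(secret_key ^ (i * 0x9E3779B9)) & MASK32 for i in range(rounds)]


def feistel_ladder(left, right, keys):
    """Run the ladder: each round swaps halves and XORs F of one half into the other.
    The final swap is undone so the same function serves encryption and decryption."""
    for k in keys:
        left, right = right, left ^ F(right, k)
    return right, left


def encrypt_block(block64, secret_key):
    L, R = block64 >> 32, block64 & MASK32
    L, R = feistel_ladder(L, R, round_keys(secret_key))
    return (L << 32) | R


def decrypt_block(block64, secret_key):
    # Same ladder, subkeys in reverse order: F is applied to the identical inputs
    # in reverse, so each XOR cancels the one made during encryption.
    L, R = block64 >> 32, block64 & MASK32
    L, R = feistel_ladder(L, R, list(reversed(round_keys(secret_key))))
    return (L << 32) | R


if __name__ == "__main__":
    key = 0xDEADBEEF
    pt = 0x0123456789ABCDEF
    ct = encrypt_block(pt, key)
    print("ciphertext: %016x" % ct)
    print("round trip ok:", decrypt_block(ct, key) == pt)
```

Note that this block only demonstrates the ladder's structure; nothing here says anything about the strength of a cipher built this way, which depends on the round function, the schedule and the number of rounds.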

    2. Daniel B.

      Re: Scared Chickens

      RC4 has enough attacks against it that it is no longer considered "really secure" by cryptanalysts. It is probably why FIPS 140-2 doesn't have it within its approved ciphers anymore. The best bet would be to use SSL with AES/GCM but the GCM part isn't quite supported by everyone yet ... still, AES is still a much better bet than RC4 anything or 3DES anything.

      1. Anonymous Coward
        Anonymous Coward

        @Daniel B: 3DES, Really?

        I know that the first few thousand bytes from RC4 can be used to infer the RC4 internal state, which is somewhat serious. You could still discard the first couple of thousand bytes, though.

        Your claim that AES is "better" (in which ways?) than 3DES is highly dubious, though. Afaik, there are no real break-ins to DES known, except for exhaustive keyspace iteration. That one is lame, as 3DES has a keyspace of 112 bits. Too much for anyone on the globe, as the sum of all global electricity generated would not be enough to compute in hundreds of years. DES was purposefully weakened to 56-bit keyspace, but the general design is still excellent.
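Two things from this thread can be checked in one short block: the keystream flaws Charles 9 points to in the Wikipedia article (the best-known one is that the second output byte of RC4 is 0 with probability about 1/128 instead of 1/256, Mantin and Shamir 2001), and the "discard the first couple of thousand bytes" mitigation mentioned just above (RC4-drop[n]). This is an added example, not any commenter's code: a plain RC4 with a `drop` parameter, a round-trip check against the published "Key"/"Plaintext" test vector, and a measurement of the second-byte bias over random keys drawn from a seeded PRNG (constructed keys, not real ones).

```python
# Added example (not from any commenter): plain RC4, the RC4-drop[n] variant,
# and a measurement of the second-keystream-byte bias (Mantin-Shamir).
import random


def rc4_keystream(key, drop=0):
    """Generator of RC4 keystream bytes; `drop` discards the first n bytes (RC4-drop[n])."""
    # Key-scheduling algorithm (KSA)
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    # Pseudo-random generation algorithm (PRGA)
    i = j = 0
    produced = 0
    while True:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        z = S[(S[i] + S[j]) & 0xFF]
        produced += 1
        if produced > drop:
            yield z


def rc4_crypt(key, data, drop=0):
    """XOR `data` with the keystream; the same call encrypts and decrypts."""
    ks = rc4_keystream(key, drop)
    return bytes(b ^ next(ks) for b in data)


def second_byte_zero_rate(trials, drop=0, seed=1):
    """Fraction of random 16-byte keys whose second *emitted* keystream byte is 0.
    An unbiased stream gives about 1/256; plain RC4 gives about 1/128, and the
    bias disappears once the early bytes are dropped."""
    rng = random.Random(seed)
    zeros = 0
    for _ in range(trials):
        key = bytes(rng.getrandbits(8) for _ in range(16))   # constructed key
        ks = rc4_keystream(key, drop)
        next(ks)
        if next(ks) == 0:
            zeros += 1
    return zeros / trials


if __name__ == "__main__":
    print(rc4_crypt(b"Key", b"Plaintext").hex())        # bbf316e8d940af0ad3 (published test vector)
    print("P[z2 = 0], RC4:           %.5f" % second_byte_zero_rate(16000))
    print("P[z2 = 0], RC4-drop[256]: %.5f" % second_byte_zero_rate(16000, drop=256))
    print("1/256 = %.5f, 1/128 = %.5f" % (1 / 256, 1 / 128))
```

The bias measurement is the kind of check a reviewer would run on a stream cipher: a single fixed output position that is zero twice as often as chance is a plaintext leak across many sessions, which is exactly the class of flaw the Wikipedia article and the WEP history describe. Dropping early bytes removes this particular bias but not the later, weaker ones, which is why the thread's other answer to RC4 is to stop negotiating it.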

        1. Anonymous Coward
          Anonymous Coward

          Re: @Daniel B: And

          There are rumours the German gubmint uses a DES-like cipher for their diplomatic cipher activities.
